kyverno/pkg/cel/policy/policy.go

package policy

import (
	"context"

	"github.com/google/cel-go/cel"
	"github.com/google/cel-go/common/types"
	"github.com/google/cel-go/common/types/ref"
	"github.com/kyverno/kyverno/pkg/cel/utils"
	"go.uber.org/multierr"
	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
	"k8s.io/apiserver/pkg/cel/lazy"
)

type CompiledPolicy struct {
	failurePolicy    admissionregistrationv1.FailurePolicyType
	matchConditions  []cel.Program
	variables        map[string]cel.Program
	validations      []cel.Program
	auditAnnotations map[string]cel.Program
}

func (p *CompiledPolicy) Evaluate(
	ctx context.Context,
	resource *unstructured.Unstructured,
	namespace *unstructured.Unstructured,
) (bool, error) {
	var nsData map[string]any
	if namespace != nil {
		nsData = namespace.UnstructuredContent()
	}
	matchConditions := func() (bool, error) {
		var errs []error
		data := map[string]any{
			NamespaceObjectKey: nsData,
			ObjectKey:          resource.UnstructuredContent(),
		}
		for _, matchCondition := range p.matchConditions {
			// evaluate the condition
			out, _, err := matchCondition.ContextEval(ctx, data)
			// check error
			if err != nil {
				errs = append(errs, err)
				continue
			}
			// try to convert to a bool
			result, err := utils.ConvertToNative[bool](out)
			// check error
			if err != nil {
				errs = append(errs, err)
				continue
			}
			// if condition is false, skip
			if !result {
				return false, nil
			}
		}
		return true, multierr.Combine(errs...)
	}
	match, err := matchConditions()
	if err != nil {
		return false, err
	}
	if !match {
		return true, nil
	}
	variables := func() map[string]any {
		vars := lazy.NewMapValue(VariablesType)
		data := map[string]any{
			NamespaceObjectKey: nsData,
			ObjectKey:          resource.UnstructuredContent(),
			VariablesKey:       vars,
		}
		for name, variable := range p.variables {
			vars.Append(name, func(*lazy.MapValue) ref.Val {
				out, _, err := variable.Eval(data)
				if out != nil {
					return out
				}
				if err != nil {
					return types.WrapErr(err)
				}
				return nil
			})
		}
		return data
	}
	data := variables()
	for _, rule := range p.validations {
		out, _, err := rule.Eval(data)
		// check error
		if err != nil {
			return false, err
		}
		response, err := utils.ConvertToNative[bool](out)
		// check error
		if err != nil {
			return false, err
		}
		// if response is false, return
		if !response {
			return false, nil
		}
	}
	return true, nil
}
feat: add validating policy compiler (#11906) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-13 13:56:36 +01:00			`package policy`

			`import (`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`"context"`

feat: add validating policy compiler (#11906) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-13 13:56:36 +01:00			`"github.com/google/cel-go/cel"`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`"github.com/google/cel-go/common/types"`
			`"github.com/google/cel-go/common/types/ref"`
			`"github.com/kyverno/kyverno/pkg/cel/utils"`
			`"go.uber.org/multierr"`
feat: add validating policy compiler (#11906) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-13 13:56:36 +01:00			`admissionregistrationv1 "k8s.io/api/admissionregistration/v1"`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"`
			`"k8s.io/apiserver/pkg/cel/lazy"`
feat: add validating policy compiler (#11906) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-13 13:56:36 +01:00			`)`

			`type CompiledPolicy struct {`
feat: add auditAnnotation in CEL Compiler (#11918) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> 2025-01-14 15:16:29 +02:00			`failurePolicy admissionregistrationv1.FailurePolicyType`
			`matchConditions []cel.Program`
			`variables map[string]cel.Program`
			`validations []cel.Program`
			`auditAnnotations map[string]cel.Program`
feat: add validating policy compiler (#11906) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-13 13:56:36 +01:00			`}`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00
			`func (p *CompiledPolicy) Evaluate(`
			`ctx context.Context,`
			`resource *unstructured.Unstructured,`
feat: add namespace support in CLI values (#11958) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 12:43:13 +01:00			`namespace *unstructured.Unstructured,`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`) (bool, error) {`
feat: add namespace support in CLI values (#11958) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 12:43:13 +01:00			`var nsData map[string]any`
			`if namespace != nil {`
			`nsData = namespace.UnstructuredContent()`
			`}`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`matchConditions := func() (bool, error) {`
			`var errs []error`
			`data := map[string]any{`
feat: add namespace support in CLI values (#11958) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 12:43:13 +01:00			`NamespaceObjectKey: nsData,`
			`ObjectKey: resource.UnstructuredContent(),`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`}`
			`for _, matchCondition := range p.matchConditions {`
			`// evaluate the condition`
			`out, _, err := matchCondition.ContextEval(ctx, data)`
			`// check error`
			`if err != nil {`
			`errs = append(errs, err)`
			`continue`
			`}`
			`// try to convert to a bool`
			`result, err := utils.ConvertToNative[bool](out)`
			`// check error`
			`if err != nil {`
			`errs = append(errs, err)`
			`continue`
			`}`
			`// if condition is false, skip`
			`if !result {`
			`return false, nil`
			`}`
			`}`
			`return true, multierr.Combine(errs...)`
			`}`
			`match, err := matchConditions()`
			`if err != nil {`
			`return false, err`
			`}`
			`if !match {`
			`return true, nil`
			`}`
			`variables := func() map[string]any {`
			`vars := lazy.NewMapValue(VariablesType)`
			`data := map[string]any{`
feat: add namespace support in CLI values (#11958) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 12:43:13 +01:00			`NamespaceObjectKey: nsData,`
			`ObjectKey: resource.UnstructuredContent(),`
			`VariablesKey: vars,`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`}`
			`for name, variable := range p.variables {`
			`vars.Append(name, func(*lazy.MapValue) ref.Val {`
			`out, _, err := variable.Eval(data)`
			`if out != nil {`
			`return out`
			`}`
			`if err != nil {`
			`return types.WrapErr(err)`
			`}`
			`return nil`
			`})`
			`}`
			`return data`
			`}`
			`data := variables()`
			`for _, rule := range p.validations {`
			`out, _, err := rule.Eval(data)`
			`// check error`
			`if err != nil {`
			`return false, err`
			`}`
			`response, err := utils.ConvertToNative[bool](out)`
			`// check error`
			`if err != nil {`
			`return false, err`
			`}`
			`// if response is false, return`
			`if !response {`
			`return false, nil`
			`}`
			`}`
			`return true, nil`
			`}`